Privacy Policy
Last updated: April 8, 2026
1. What We Collect
PullGuard collects minimal information necessary to provide the service:
- Account information: Email address (for license key delivery and support)
- Organization/repository names: Used for license key binding and billing
- Payment information: Processed by Stripe; PullGuard does not store credit card numbers
2. What We Do NOT Collect
PullGuard does not collect, transmit, or store:
- Your source code: All analysis runs on your own GitHub Actions runners. Code never leaves your infrastructure.
- Analysis results: Findings, scores, grades, and reports are generated locally and stay in your CI pipeline.
- Usage telemetry (scanner): The PullGuard scanner has zero analytics, tracking, or telemetry. No source code, file contents, or analysis results are sent to PullGuard servers during scans. (Paid tiers send only a license key and repository name for subscription validation — see Section 3. The marketing website uses cookieless Cloudflare Web Analytics for aggregate traffic metrics, plus an optional Cloudflare AI Search assistant that answers questions from our public documentation — see Section 7.)
- Repository contents: The Docker image processes files locally and writes results to stdout and GitHub Actions outputs.
3. External API Calls
During analysis, the scanner makes calls to the following public APIs for license validation, dependency vulnerability lookups, and version checking:
- License validation (pullguard.dev/api/validate) — paid tiers only. Sends your license key and repository name to confirm an active subscription; nothing about your code. The request's source IP is hashed and retained for ≤60 seconds for rate-limiting (see Section 5). A network failure degrades gracefully to the free tier — the scan still runs.
- Rule & compliance registry (pullguard.dev/api/rules) — fetches the signed compliance-control catalog (HIPAA / PCI DSS / NIST / ISO 27001) and the public “actively exploited” CISA KEV threat feed at scan time. An anonymous GET request: it sends no license key, repository name, or code — only a scanner User-Agent string. The catalog is Ed25519-signed and verified before use; an unreachable endpoint degrades to an embedded fallback and the scan still runs.
- OSV API (api.osv.dev) — queries the Open Source Vulnerabilities database for known CVEs. Only package names and versions are sent.
- Package registries (registry.npmjs.org, pypi.org, proxy.golang.org, search.maven.org, rubygems.org) — checks latest versions for dependency freshness scoring. Only package names are sent.
No source code, file contents, or analysis results are transmitted in these API calls. Air-gapped mode disables all external calls using a local vulnerability database.
4. Data Processing
PullGuard is a self-hosted tool. All data processing occurs on your infrastructure:
- The Docker image runs as a container in your GitHub Actions workflow
- Source files are read from the checked-out repository on the runner
- Results are written to the runner's filesystem and GitHub Actions outputs
- No data leaves the runner except the external API calls described above
5. GDPR Compliance
PullGuard processes minimal personal data: email address (for account setup), organization and repository names (for license binding), and source-IP address (used by the licensing Worker for rate limiting). The source IP is always hashed via SHA-256 before storage — your raw IP is never written to our data plane. The hashed value is retained only for the rate-limiting window: ≤60 seconds for licence validation, key retrieval, OTP requests and repo-binding, and up to 24 hours for the abuse-sensitive repo-rebinding endpoint (a longer window is needed to throttle repeated re-bind attempts on an already-bound licence).
We do not process source code on our servers — code is analyzed by the Docker image running on your own GitHub Actions runners and never transmitted to PullGuard infrastructure. Because we do not act as a processor of customer source code, the standard GDPR Article 28 Data Processing Agreement (DPA) requirement does not apply to code analysis itself.
For Enterprise customers who require a signed DPA covering the limited account / billing / license-validation processing we DO perform: see our Data Processing Addendum (executable as an addendum to your subscription terms; standard contractual clauses apply for any sub-processor located outside the EEA).
For questions about data rights or to request a signed DPA, contact hello@pullguard.dev.
6. Data Retention
We retain your email address and organization name for the duration of your subscription. Upon cancellation, account data is deleted within 30 days. We do not retain any source code or analysis results as these never leave your infrastructure.
7. Cookies & Website Services
The PullGuard website (pullguard.dev) uses Cloudflare Web Analytics, a privacy-first, cookieless analytics service that measures aggregate page views, traffic sources, and page performance. It sets no cookies, uses no local storage or client-side fingerprinting, and collects no personally identifying data, so no cookie-consent banner is required. We load no cookie-based or cross-site trackers (Google Analytics, Mixpanel, Segment, etc.). The scanner itself remains zero-telemetry (see Section 2).
The website also offers an optional AI search & chat assistant (powered by Cloudflare AI Search) that answers questions using only our public documentation and marketing pages. When you type a query into the search box or chat bubble, that text is sent to Cloudflare to generate a response. Please do not enter personal, confidential, or proprietary information into it. The assistant is opt-in — it processes nothing unless you choose to use it — and it has no access to your source code, account, or scan results.
8. GDPR Rights
If you are in the European Economic Area (EEA), you have the right to:
- Access: Request a copy of any personal data we hold about you
- Rectification: Request correction of inaccurate personal data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Portability: Request your data in a machine-readable format
- Objection: Object to processing of your personal data
To exercise any of these rights, contact hello@pullguard.dev. We will respond within 30 days.
9. Sub-processors & Third-Party Services
PullGuard relies on the following sub-processors for the limited account / billing / license-validation processing we perform. Your source code is never sent to any of them (it stays on your CI runners):
- Stripe (payment processing) — billing data. Stripe's privacy policy applies to payment data; PullGuard does not store card numbers.
- Cloudflare (infrastructure) — hosts the licensing / validation API and the compliance-rule and threat-intelligence endpoints. Processes the requesting IP address (always SHA-256 hashed, never raw; retained ≤60s for most endpoints and up to 24h for repo-rebinding — see Section 5) for rate-limiting, and stores license-token metadata. The marketing site additionally embeds Cloudflare AI Search, which indexes our public documentation and processes the text you type into the on-site search/chat assistant in order to return answers (see Section 7).
- Resend (transactional email) — delivers license keys, one-time codes, and account notifications to the email address you provide at checkout.
- GitHub — the Marketplace Action runs inside your own GitHub Actions runners; the scan reads your repository and writes the PR comment / check using the workflow's own GITHUB_TOKEN.
We do not use any other third-party services for data processing. Enterprise customers requiring a signed sub-processor list / DPA: see our Data Processing Addendum.
10. Contact
For privacy questions or data requests: hello@pullguard.dev